ABSTRACT 

The United States National Aeronautics and Space 
Administration (NASA) is in the midst of a space 
exploration program called Constellation to send crew and 
cargo to the International Space Station, to the moon, and 
beyond. As part of the Constellation program, a new 
launch vehicle, Ares I, is being developed by NASA 
Marshall Space Flight Center. Designing a launch vehicle 
with high reliability and increased safety requires a 
significant effort in understanding design variability and 
design uncertainty at the various levels of the design 
(system, element, subsystem, component, etc.) and 
throughout the various design phases (conceptual, 
preliminary design, etc.). 

In a previous paper [1] we discussed a probabilistic 
functional failure analysis approach intended mainly to 
support system requirements definition, system design, and 
element design during the early design phases. This paper 
provides an overview of the application of probabilistic 
engineering methods to support the detailed 
subsystem/component design and development as part of 
the “Design for Reliability and Safety” approach for the 
new Ares I Launch Vehicle. 

Specifically, the paper discusses probabilistic engineering 
design analysis cases that had major impact on the design 
and manufacturing of the Space Shuttle hardware. The 
cases represent important lessons learned from the Space 
Shuttle Program and clearly demonstrate the significance of 
probabilistic engineering analysis in better understanding 
design deficiencies and identifying potential design 
improvement for Ares I. The paper also discusses the 
probabilistic functional failure analysis approach applied 
during the early design phases of Ares I and the forward 
plans for probabilistic design analysis in the detailed design 
and development phases. 


1.0 BACKGROUND 

This section provides some background on the new NASA 
launch vehicles and an overview of some of NASA's 
applications of probabilistic methods since the Challenger 
accident. 

1.1 New NASA Launch Vehicles 

The new NASA launch vehicles, the Ares I and Ares V, are 
shown in Fig. 1 in comparison with the heritage vehicles, 
the Saturn V and the Space Shuttle. The arrows between 
the vehicles in the graphic indicate hardware commonality. 
Figure 1. Ares I and Ares V Launch Vehicles in 
Comparison to Heritage Launch Vehicles 


The Ares I launch vehicle, being developed by NASA’s 
Marshall Space Flight Center (MSFC), consists of three 
major elements as shown in Fig. 2: A solid First Stage (FS), 
an Upper Stage (US), and an Upper Stage Engine (USE). 

Its payload will be a crew exploration vehicle, called Orion, 
which is being developed by the NASA Johnson Space 
Center (JSC). Orion consists of a crew exploration module, 
a service module, a spacecraft adapter, and a launch abort 
system (LAS). 


The intended purpose of the Ares I is to safely deliver crew 
and cargo to a specified ascent target. This capability will 
support two separate missions: to carry the payloads to the 
International Space Station (ISS); and to deliver crew to 
orbit for rendezvous with elements of Ares V and lunar 
modules for lunar missions. Primary objectives of the Ares 
I design are to significantly increase safety and reliability 
and reduce the cost of accessing space. 
Figure 2. Ares I Expanded View 

The Ares V, also being developed by MSFC, consists of the 
following as shown in Fig. 3: a liquid Core Stage with 6 
RS-68 engines augmented by 2 five-and-one-half segment 
Solid Rocket Boosters (SRB); an Interstage; an Earth 
Departure Stage (EDS) with a single J-2X liquid rocket 
engine; and a large Shroud. 


Figure 3. Ares V Expanded View 

The intended purpose of the Ares V is to deliver a lunar 
module to earth orbit with the EDS then performing a trans-
lunar injection of the module for lunar missions. The Ares 
V will also deliver cargo to orbit and potentially deliver a 
single-launch solution to the Moon with combined CEV 
and lunar lander payloads. 

Before getting into the discussion of the subject of this 
paper, it is important to note that the Constellation Program 
has in place ambitious quantitative requirements for Loss of 
Mission (LOM) and Loss of Crew (LOC). The LOM and 
LOC requirements (or equivalents) have been allocated to 
the Ares I and its major elements, the FS, the US, and the 
USE. Satisfying these requirements will constitute an 
ambitious goal that has forced a paradigm shift at NASA. 
This has set the stage for establishing a working 
environment that integrates various disciplines (safety, 
reliability, design, etc.) and various organizations 
(engineering design organizations, project office, and safety 
and mission assurance organization) more effectively to 
support the design process. Within this integrated 
environment, this paradigm shift has also set the stage for a 
new era at NASA in applying a sound probabilistic design 
approach to analyze, understand, and influence the design 
up front and throughout the different phases of the design. 
This paper discusses the application of probabilistic 
engineering methods that have been used to support the 
early phases of design and will be used to support the 
detailed subsystem/component design and development as 
part of the “Design for Reliability and Safety” approach for 
the new Ares I Launch Vehicle. 

1.2 Overview of NASA Applications of Probabilistic 
Methods 

After the Space Shuttle Challenger accident in 1986, 
NASA began incorporating quantitative risk assessments 
(QRA) in decisions concerning the Space Shuttle and other 
NASA projects. For example, QRA has been extensively 
used in areas such as risk management of flight hardware, 
trade studies, and reliability prediction of new hardware. In 
the risk management area, life limits based on QRA are 
being used in the Space Shuttle Main Engine (SSME) 
program [2]. Some of these cases are partially or fully 
discussed in this paper. 

At the system level, NASA Headquarters has led several 
studies to predict the overall Space Shuttle risk. The first of 
these Space Shuttle QRA studies was conducted in 1988 by 
Planning Research Corporation [3]. In 1995, Science 
Applications International Corporation (SAIC) conducted a 
comprehensive QRA study [4]. In July 1996, NASA 
conducted a two year study (October 1996 - September 
1998) to develop a model that provided the overall Space 
Shuttle risk and estimates of risk changes due to proposed 
Space Shuttle upgrades [5]. 

After the Columbia accident, NASA conducted a QRA on 
External Tank (ET) foam. This study was the most focused 
and most extensive risk assessment that NASA has 
conducted in recent years. It used a dynamic, physics- 
based, integrated system analysis approach to understand 
the integrated system risk due to ET foam loss in flight [6]. 
Most recently, a probabilistic risk assessment (PRA) for 
Ares I has been performed in support of the Constellation 
program. 

In the following sections we discuss some of the Space 
Shuttle applications in probabilistic engineering design 
analysis and the current and potential future application of 
probabilistic engineering design analysis for the Ares I vehicle. 

2.0 THE NEED FOR PROBABILISTIC 
ENGINEERING DESIGN ANALYSIS - 
DETERMINISTIC VERSUS PROBABILISTIC 
DESIGN 

To determine the factor of safety for a design, the designer 
traditionally assumes a single value for stress that is equal 
to some maximum or nominal value So, depending on how 
the individual defines the factor of safety for a particular 
application. Similarly, the strength is assumed to be 
deterministic and equal to some nominal or minimum value 
Ro. As shown in Fig. 4, if nominal values are used we can 
end with two different designs that have the same factor of 
safety but different reliabilities. This illustrates why a 
probabilistic engineering design analysis approach is 
recommended in support of the conventional deterministic 
approach to account for the uncertainty in the design 
parameters [7,8]. 

Figure 4. Situation Where Factors of Safety are the Same 
but Reliabilities are Different 

Probabilistic engineering design analysis can be applied at 
the various phases of the design as long as information is 
available on the strength or capability (materials properties, 
etc.) and stress or demand (loads, environments, etc.) 
parameters. Generally this would be during the preliminary 
design (PD) phase forward. For instance, during the 
subsystem and component design and development, 
probabilistic design analysis can be used to assist the 
designer in making decisions on the best material or on the 
best balanced design with respect to several design criteria. 
At the hardware certification stage, probabilistic design can 
be used to determine if a component meets its life 
requirements. Finally, probabilistic design can be used to 
manage the risk of a product or system put into service. In 
this paper, probabilistic design will be discussed for the 
situation in which it is felt to have the greatest potential for 
a large influence on the design, namely in the detailed 
design and development phases. 

In the probabilistic engineering design approach during 
design and development, each parameter controlling design 
life can be defined and treated as a random variable. These 
life-controlling parameters are uncertain for two reasons. 
First, it is known that there will be some amount of 
variability regardless of how well the parameter is known. 
Secondly, it is not known at this phase how well the 
engineering analyses and models being used will correlate 
with the actual component parameters. Both of these 
uncertainties contribute to variability. This would mandate 
the use of engineering safety factors in traditional 
deterministic design. Probabilistic design analysis permits 
the assessment of the actual distributions of these 
life-controlling factors and of their interactions with each 
other, thus providing an evaluation of component risk. 


For example, if it were desired to calculate the low cycle 
fatigue (LCF) life of a specific feature of an impeller rotor, 
it would be a function of rotor geometry and material 
properties (e.g., density, modulus of elasticity, and 
coefficient of thermal expansion) and the cyclic stress from 
rotor speed and other loads. In simplistic terms, it is 
necessary to assign distributions to each of these basic life 
drivers, (e.g., modulus of elasticity, coefficient of thermal 
expansion, rotor speed), have a set of equations to map 
these basic life drivers into the high level life-controlling 
parameters (e.g., crack growth rate), transform the high 
level life controlling parameters into an LCF life via a 
failure model, and then iterate through these steps several 
times until a distribution of lifetimes is constructed. 

To describe the probabilistic design approach, a generalized 
probabilistic design analysis model structure is shown in 
Fig. 5. Although no two probabilistic models are identical, 
all of them contain elements similar to those of Fig. 5. 

Figure 5. Generalized Probabilistic Design Analysis Model 
Structure 

As indicated by the life driver variation element, all 
important parameters which affect life are assigned a range 
or distribution of realistic values rather than some “worst 
case” value. Note that several different probability/ 
statistical distributions exist, such as Weibull, normal, 
lognormal, beta, uniform, etc., for describing the pattern of 
variation of life drivers. 

3.0 THE SPACE SHUTTLE APPLICATIONS 

Right after the Challenger accident an extensive 
probabilistic engineering analysis methodology 
development was conducted by the NASA Jet Propulsion 
Laboratory (JPL). This included several applications to 
Space Shuttle hardware [9]. Since then a large number of 
probabilistic engineering design analysis cases have been 
performed within NASA in support of the decision-making 
process for the Space Shuttle program. A few examples 
will follow. 

In 1987 an extensive probabilistic engineering analysis 
effort was conducted to evaluate the reliability of the 
turbine wheels for the auxiliary power units (APU) of the 
Space Shuttle SRBs [10]. In 1994 NASA conducted a 
probabilistic study on the potential removal of External 
Tank weld inspections [11]. In 1998 the reliability of a 
critical weld of the Space Shuttle SRB aft skirt was 
analyzed using the probabilistic analysis software known as 
NESSUS [12]. Also in 1998, as part of SSME upgrades 
introduced after the engine was put in service, NASA and 
Rocketdyne developed probabilistic engineering models to 
evaluate the reliability of several failure modes for the 
channel wall nozzle option. Between 1998 and 2000, as 
part of their support to the Space Shuttle risk assessment, 
Pratt & Whitney developed probabilistic models for about 
30 failure modes for the SSME turbo-pumps [13]. Many 
other applications of probabilistic engineering analysis at 
NASA can be found in [14]. 

3.1 The SSME Alternate Turbopumps (ATD) Case 

In this section we discuss an application of probabilistic 
engineering modeling and analysis during the design and 
development of the SSME ATD. This example application 
addresses the fracture failure mode of the inner race on the 
roller bearing of the Pratt & Whitney High Pressure Fuel 
Turbopump (HPFTP). The inner race fracture location is 
shown in Fig. 6. 

Figure 6. Roller Bearing Inner Race Fracture Location 

The analysis intent was to estimate the probability of 
fracture due to the hoop stress exceeding the material 
strength. A Monte Carlo simulation model of the failure 
logic was developed with probabilistic models applied to 
the stress contributors and material capability, expressed as 
allowable loads. Fig. 7 illustrates the model. 

Figure 7. HPFTP Roller Bearing Inner Race Probability 
Model 


In order to calculate the hoop stress it was necessary to 
determine materials properties variability. Of those 
materials properties that affected the total inner race hoop 
stress such as, for example, the modulus of elasticity and 
the coefficient of thermal expansion, a series of equations 
was derived which mapped these life drivers into the total 
inner race hoop stress. Similarly, a distribution on the 
materials capability was derived. In this case, life drivers 
such as fracture toughness, crack depth and length, yield 
strength, among others, were important. The resulting 
materials strength distribution was then obtained through a 
series of similar equations. 

A Monte Carlo simulation was then used to calculate a 
random hoop stress and random materials strength. If the 
stress exceeded the strength in the simulation, a failure was 
assigned to the run. Otherwise, a success was recorded. 
After a large number of simulation runs was conducted, a 
failure distribution was established for the inner race. 
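As an added example (not code from the paper, nor Pratt & Whitney's model or data), the stress-strength Monte Carlo loop described in this section, with constructed life-driver distributions and mapping equations standing in for the real ones; it also reproduces the Fig. 4 point from Section 2.0 that two designs with the same factor of safety can have different reliabilities.

```python
"""Stress-strength interference by Monte Carlo simulation.

Added example, not code from the paper: it follows the failure logic
described for the HPFTP inner race (Fig. 7) in simplified form and
reproduces the Fig. 4 point that equal factors of safety can give
different reliabilities. Every distribution and mapping equation is
constructed for illustration, not Pratt & Whitney's model or data.
"""
import math
import random
from statistics import NormalDist


def hoop_stress(E, alpha, speed, dT=150.0, k=2.0e-7):
    """Constructed mapping of life drivers to hoop stress (MPa):
    a thermal-mismatch term plus a centrifugal term in rotor speed."""
    return E * alpha * dT + k * speed ** 2


def fracture_strength(K_ic, a, Y=1.12):
    """Constructed capability model: allowable stress (MPa) from
    fracture toughness K_ic (MPa*sqrt(m)) and crack depth a (m)."""
    return K_ic / (Y * math.sqrt(math.pi * a))


def monte_carlo_pf(sample_stress, sample_strength, n, seed=1):
    """Fraction of runs in which a random stress exceeds a random
    strength: the failure-logic loop described in Section 3.1."""
    rng = random.Random(seed)
    failures = sum(sample_stress(rng) > sample_strength(rng) for _ in range(n))
    return failures / n


def analytic_pf(mu_s, sd_s, mu_r, sd_r):
    """Closed form for normal stress S and normal strength R:
    P(S > R) = Phi(-(mu_r - mu_s) / sqrt(sd_r^2 + sd_s^2))."""
    return NormalDist().cdf(-(mu_r - mu_s) / math.hypot(sd_r, sd_s))


def inner_race_pf(n=20000, seed=1):
    """Constructed life-driver distributions; the nominal values give
    about 605 MPa hoop stress against about 956 MPa allowable."""
    def stress(rng):
        E = rng.gauss(200e3, 5e3)           # modulus of elasticity, MPa
        alpha = rng.gauss(12e-6, 0.5e-6)    # thermal expansion, 1/degC
        speed = rng.gauss(35000.0, 700.0)   # rotor speed, rpm
        return hoop_stress(E, alpha, speed)

    def strength(rng):
        K_ic = rng.gauss(60.0, 6.0)                    # fracture toughness
        a = rng.lognormvariate(math.log(1.0e-3), 0.3)  # crack depth, m
        return fracture_strength(K_ic, a)

    return monte_carlo_pf(stress, strength, n, seed)


def same_fos_different_reliability():
    """Fig. 4: both designs share nominal R0/S0 = 956/605, but the
    design with wider scatter has a far larger failure probability."""
    mu_s, mu_r = 605.0, 956.0
    tight = analytic_pf(mu_s, 30.0, mu_r, 50.0)
    loose = analytic_pf(mu_s, 120.0, mu_r, 200.0)
    return mu_r / mu_s, tight, loose


if __name__ == "__main__":
    fos, tight, loose = same_fos_different_reliability()
    print(f"factor of safety {fos:.2f}: P_f tight={tight:.1e}, loose={loose:.1e}")
    print(f"inner race Monte Carlo P_f ~= {inner_race_pf():.4f}")
```

The Monte Carlo estimate can be checked against the closed form by feeding `monte_carlo_pf` plain normal samplers; the life-driver version has no closed form because the mapping is non-linear, which is exactly why the paper resorts to simulation.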

To summarize, engineering information with statistical 
models can be used to probabilistically characterize design 
parameters and determine design reliability. The 
probabilistic models can be used for both prediction as well 
as performing sensitivity analyses to identify design 
improvements. In fact, the analysis detailed above led to 
uncovering a major material capability problem for the 
turbo pump bearing cage caused by induced manufacturing 
stresses. The material could not withstand the predicted 
flight loads which resulted in a crack in the bearing cage. 

A material with different properties was used which 
reduced the probability of a crack to near zero and 
significantly improved the reliability of the turbo pump 
bearing cage. 


4.0 THE ARES I APPLICATIONS 

In this section we provide an overview of Ares I 
probabilistic engineering design applications during the 
system design phase and discuss the current and forward 
plans for the detailed design and development phases. 

4.1 The Ares I Probabilistic Analysis during Early 
Design Phases 

The following is an overview of the probabilistic functional 
failure analysis (PFFA) approach that was adopted by the 
Ares I project during initial design in preparation for the 
preliminary design phase. 

The PFFA approach is a dynamic top-down scenario-based 
approach intended to identify, model, and understand high 
system risk drivers for the purpose of influencing both 
system design and system requirements. This approach is 
implemented upfront during the initial system design phase 
preceding the preliminary design review (PDR). The focus 
of the Ares I PFFA was on energetic or dynamic events and 
significant changes of state for the launch vehicle that 
could lead to LOM or LOC. 

The first step in the PFFA was to define the mission 
timeline of system level functions. The applicable Ares I 
mission timeline includes the pre-launch and ascent phases. 
The system level functions during the phases include fuel 
load, crew load, pre-start, launch, staging (FS separation 
and USE start), LAS jettison, main engine cutoff (MECO), 
and orbit insertion with Orion separation from the Upper 
Stage. 

Given the mission timeline of system level functions, the 
next step in the PFFA was to identify for each system level 
function the lower-level functions to a selected level of 
indenture. These lower-level functions were then 
transformed into a failure structure by restating each as 
functional failure or failure event. Next, the functional 
failures are analyzed for their effects on the applicable 
physical design. The resulting failure effects, labeled as 
hazards or undesired conditions, were grouped by 
commonality of their effect on an element or the launch 
vehicle. These groupings were labeled as failure bins 
which are listed for further analysis. 

Given the list of failure bins, the next step in the PFFA was 
to determine the "bounding" failure scenario for each bin. 
The “bounding” failure scenario is selected based on the 
frequency of occurrence, the impact on system risk, and the 
potential for design improvement. 


Given the “bounding” failure scenarios, a short list (a 
handful of scenarios) was established, based on project 
priorities, for further in-depth focused analysis. 
Specifically, the items on the short list were subjected to in- 
depth physics based dynamic simulation modeling to 
understand the physics of failure, the probability of launch 
vehicle failure or break up, and the launch abort system 
capability to save the crew [1]. 

4.2 The Ares I Current and Forward Plans for the 
Detailed Design and Development Phases 

During the early design phase through the system PDR, 
several mission events or issues were identified and 
pursued for in-depth analysis. Examples of these critical 
areas/issues are first stage separation and the system thrust 
oscillation. In the separation study an integrated 
probabilistic analysis was performed which supported the 
design solution. In the thrust oscillation case probabilistic 
analysis was used to evaluate the risk of the various viable 
design solutions from which one was chosen. Both areas 
were addressed by the time of the system PDR. 

Because of the extensive heritage hardware used in the 
Ares I vehicle, the Ares I elements (FS, USE, and US) had 
completed their PDR and were starting their critical design 
review (CDR) while the system design and system PDR 
was underway. As a result, concurrent with the PFFA and 
integrated probabilistic design analysis, an extensive 
probabilistic design analysis (PDA) effort has been 
performed at the component level. Examples include US 
tank buckling, US tank weld structural failure, USE gas 
generator fuel valve failure, fire/explosion due to fuel and 
oxidizer leaks within the interstage (part of the US), and 
USE oxidizer turbopump (OTP) and fuel turbopump (FTP) 
inducer high-cycle fatigue (HCF). Because of export 
control restrictions details of the cases listed above cannot 
be released at this time. 

With regard to future work, a tremendous amount of PDA 
is planned for the detailed and development phases. The J- 
2X PDA activity is a good example of how NASA has been 
applying and will continue applying PDA to support design 
decisions during the detailed and development phases. 

The J-2X program applies PDA as part of their physics- 
based reliability modeling to a selective set of J-2X failure 
modes. The complexity of their detailed PDA can range 
from a full scale probabilistic design model that addresses 
all critical engineering random variables through computer 
simulations to probabilistic accumulation of the fatigue life 
damage fraction that correlates to the mission failure 
probability, or to a simple stress-strength interference 
failure probability calculation. The analysis ties the 
prediction to the engine operating parameters, such as 
temperature, pressure, speed, dynamic loads, and correlates 
the prediction data with future engine development test data 
for reliability model anchoring. The J-2X program 
screening criterion for identifying the PDA candidate items 
includes the following: 

1) High failure probability and consequence; 

2) Failure history in similar parts; 

3) Uncertainty in material properties, loads, environment 
and manufacturing; 

4) New designs or risk items tracked by program or IPTs. 

Based on the screening criterion, a short list of candidates 
for probabilistic design analysis is established as forward 
work to support the design process. The short list includes 
critical failure modes on the OTP, FTP, main combustion 
chamber, and nozzle. 


5.0 CONCLUSION 

The authors of this paper have tried to describe a changing 
environment with regard to using probabilistic engineering 
design analysis to support the design process. This 
changing environment began after the Challenger 
accident and has evolved over the last twenty years to reach 
a broader design community of both the Space Shuttle and 
the Ares I. The literature and applications of probabilistic 
engineering design analysis to the Space Shuttle hardware 
have provided a significant amount of learning and guidance 
to the Ares I community to continue maturing the 
probabilistic design technology. Currently a significant 
amount of probabilistic design work is planned as part of 
the forward work for all the Ares I elements. 